
jyoder

Everything posted by jyoder

  1. Thank you again for all the assistance; I would have ended up re-imaging the machine otherwise. John
  2. Interestingly enough, the last run I did found a couple of issues, as you can see below:

     Malwarebytes' Anti-Malware 1.51.0.1200
     www.malwarebytes.org
     Database version: 7070
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702
     7/12/2011 5:12:28 AM
     mbam-log-2011-07-12 (05-12-28).txt
     Scan type: Quick scan
     Objects scanned: 186464
     Time elapsed: 12 minute(s), 19 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 2
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)

     I ran another, and it is now clean.
  3. Reloaded McAfee, but now my PC is running slow again; I may need to change anti-virus programs. Do I need to run DeFogger again to reset whatever it turned off?
  4. OK, removed the old version and installed the new one, no issues. JMY
  5. OK, ran all three, and attached the logs below. dds.txt log.txt Report 2011-07-11 12.03.05.txt
  6. ComboFix log attached. BTW, it always says it is producing a log in C:, but never does, so I create it manually in Notepad. MBRCheck log attached. The PC seems to be running well; let me know what else you find. Can I re-enable McAfee? Can I run DeFogger again? Thanks for all your help. combofix.txt MBRCheck_07.11.11_08.37.11.txt
  7. After I ran ComboFix the first time, I ran Malwarebytes and it found some items and fixed them. I then made the changes you indicated and ran ComboFix again, and now I am attaching that log. combofix.txt
  8. OK, ran ComboFix, and the log is attached. comboFixx.txt
  9. OK, here is the summary:

     • Tried to uninstall McAfee via the Windows Control Panel; that did not work, so I downloaded and ran MCPR, which appeared to work OK.
     • Downloaded and ran BitRemover, but it launched and then gave me a "problem encountered" error and quit.
     • Ran maxhandle; no log was produced.
     • Ran Maxlook, then restarted in console mode and ran the batch file look.bat, which copied many files. Restarted and ran maxlook again, and it produced this log file:

       Run from C:\Documents and Settings\user\Desktop\maxlook.exe on Sun 07/10/2011 at 21:03:43.71
       No infected file found
       Rogue configuration file = C:\WINDOWS\system32\config\qayvndzo

     • Downloaded and ran TDSSKiller; no infected files found. Log is here:

       2011/07/10 21:08:30.0046 0948 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
       2011/07/10 21:08:30.0531 0948 ================================================================================
       2011/07/10 21:08:30.0531 0948 SystemInfo:
       2011/07/10 21:08:30.0531 0948
       2011/07/10 21:08:30.0531 0948 OS Version: 5.1.2600 ServicePack: 3.0
       2011/07/10 21:08:30.0531 0948 Product type: Workstation
       2011/07/10 21:08:30.0531 0948 ComputerName: USER-67AE9613E6
       2011/07/10 21:08:30.0531 0948 UserName: user
       2011/07/10 21:08:30.0531 0948 Windows directory: C:\WINDOWS
       2011/07/10 21:08:30.0531 0948 System windows directory: C:\WINDOWS
       2011/07/10 21:08:30.0531 0948 Processor architecture: Intel x86
       2011/07/10 21:08:30.0531 0948 Number of processors: 2
       2011/07/10 21:08:30.0531 0948 Page size: 0x1000
       2011/07/10 21:08:30.0531 0948 Boot type: Normal boot
       2011/07/10 21:08:30.0531 0948 ================================================================================
       2011/07/10 21:08:32.0062 0948 Initialize success
       2011/07/10 21:08:41.0718 2508 ================================================================================
       2011/07/10 21:08:41.0718 2508 Scan started
       2011/07/10 21:08:41.0718 2508 Mode: Manual;
       2011/07/10 21:08:41.0718 2508 ================================================================================
       2011/07/10 21:08:44.0625 2508 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
       2011/07/10 21:08:45.0281 2508 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
       2011/07/10 21:08:45.0406 2508 Boot (0x1200) (73b0d4775ff201fb5828f14a663542c4) \Device\Harddisk0\DR0\Partition0
       2011/07/10 21:08:45.0406 2508 ================================================================================
       2011/07/10 21:08:45.0406 2508 Scan finished
       2011/07/10 21:08:45.0406 2508 ================================================================================
       2011/07/10 21:08:45.0421 2480 Detected object count: 0
       2011/07/10 21:08:45.0421 2480 Actual detected object count: 0

     Should I continue with your original instructions and download ComboFix, or stop here?
  10. I started with the "What to do now that I am infected" post. I tried to run Malwarebytes, but it starts and then closes. I next ran DeFogger, and it appeared to work, but did not ask me to re-boot (I've attached the log). I then ran DDS, and the DDS text is here. I then ran GMER; it started, but when I pushed Scan, after unchecking the three items, it just closed and would not let me run it again. I did also run rkill, then tried my McAfee and Malwarebytes again. McAfee found a number of processes and terminated them, but could not remove them, and Malwarebytes simply starts to run and then terminates. I'm attaching the other two logs to this post and waiting for suggestions. attach.zip defogger_disable.zip